qcacmn: Abort scan cancel upon failure to get vdev ref

ucfg_scan_cancel currently grabs a vdev reference unconditionally. This
opens the possibility of operating on a destroyed vdev. Instead, try to
get a vdev reference, and abort the scan cancel operation if a reference
cannot be obtained.

Change-Id: I6380775c6cd09920ad70feed0ec67e4c85ba890d
CRs-Fixed: 2149645

umac/scan/dispatcher/src/wlan_scan_ucfg_api.c

@@ -588,11 +588,11 @@ ucfg_scan_cancel(struct scan_cancel_request *req)
 		req->cancel_req.requester, req->cancel_req.scan_id,
 		req->cancel_req.vdev_id, req->cancel_req.req_type);
 
-	/* Get vdev reference unconditionally.
-	 * Reference will be released once scan cancel is
-	 * posted to FW.
-	 */
-	wlan_objmgr_vdev_get_ref(req->vdev, WLAN_SCAN_ID);
+	status = wlan_objmgr_vdev_try_get_ref(req->vdev, WLAN_SCAN_ID);
+	if (QDF_IS_STATUS_ERROR(status)) {
+		scm_info("Failed to get vdev ref; status:%d", status);
+		goto req_free;
+	}
 
 	msg.bodyptr = req;
 	msg.callback = scm_scan_cancel_req;
@@ -601,10 +601,17 @@ ucfg_scan_cancel(struct scan_cancel_request *req)
 	status = scheduler_post_msg(QDF_MODULE_ID_OS_IF, &msg);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		scm_err("failed to post to QDF_MODULE_ID_OS_IF");
-		wlan_objmgr_vdev_release_ref(req->vdev, WLAN_SCAN_ID);
-		qdf_mem_free(req);
+		goto vdev_put;
 	}
 
+	return QDF_STATUS_SUCCESS;
+
+vdev_put:
+	wlan_objmgr_vdev_release_ref(req->vdev, WLAN_SCAN_ID);
+
+req_free:
+	qdf_mem_free(req);
+
 	return status;
 }